RE: Pubstro rash
From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 03/17/05
- Previous message: k levinson: "RE: Pubstro rash"
- In reply to: David Gillett: "RE: Pubstro rash"
- Next in thread: Mark Coleman: "Re: Pubstro rash"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 18 Mar 2005 11:33:48 +1300 To: incidents@securityfocus.com
David Gillett wrote:
> Further detail: I'm being told that all of the compromised
> workstations are running 2KPro or NTW. So that suggests that
> the attackers are getting in through a hole that is fixed in
> XP or its service packs.
Or poor password policies...
Most pubstros I've seen succeed do so with just password guessing (and
relatively trivial guessing at that) -- not that they don't have other
methods, just that pwd guessing gets them plenty of victims. Are these
machines visible to the world for any kind of standard NT
authentication connections? If so, start with the simplest (and
probably most likely), which is user slackness (blank, "admin",
"guest", "pass", "aaaaa", "qwerty", "12345", etc passwords).
Vulns common to NT and 2K but not XP would be fairly rare (other than
in non-XPSP2 IE 6??), unless you have very limited patch control over
non-XP machines but good control of XP patching.
Regards,
Nick FitzGerald
- Previous message: k levinson: "RE: Pubstro rash"
- In reply to: David Gillett: "RE: Pubstro rash"
- Next in thread: Mark Coleman: "Re: Pubstro rash"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
